RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 869071 - Password authentication for users from trusted domains does not work
Summary: Password authentication for users from trusted domains does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-10-22 23:11 UTC by Scott Poore
Modified: 2020-05-02 17:02 UTC (History)
9 users (show)

Fixed In Version: sssd-1.9.2-5.el6
Doc Type: Bug Fix
Doc Text:
No Documentation Needed
Clone Of:
Environment:
Last Closed: 2013-02-21 09:37:54 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
sssd_testrelm.com log during failed ssh with password attempt (11.89 KB, application/octet-stream)
2012-10-23 18:01 UTC, Scott Poore 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2637 0 None None None 2020-05-02 17:02:39 UTC
Red Hat Product Errata RHSA-2013:0508 0 normal SHIPPED_LIVE Low: sssd security, bug fix and enhancement update 2013-02-20 21:30:10 UTC

Description Scott Poore 2012-10-22 23:11:20 UTC 
Description of problem:

I'm trying to setup an AD Trust and to allow AD users to log into IPA Clients.

For the most part, I followed this:

https://fedoraproject.org/wiki/QA:Testcase_freeipav3_ad_trust

[root@rhel6-1 ~]# vi /etc/krb5.conf
...
[realms]
 TESTRELM.COM = {
...
  auth_to_local = RULE:[1:$1@$0](^.*@ADTESTDOM.COM$)s/@ADTESTDOM.COM/@adtestdom.com/
  auth_to_local = DEFAULT
}

[root@rhel6-1 ~]# vi /etc/sssd/sssd.conf
...
[domain/ipa.lan]
...
subdomains_provider = ipa
...
[sssd]
services = nss, pam, ssh, pac

[root@rhel6-1 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users external map' adtestdom_domain_users_external --external
---------------------------------------------
Added group "adtestdom_domain_users_external"
---------------------------------------------
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map

[root@rhel6-1 samba]# ipa group-add --desc='adtestdom.com Domain users' adtestdom_domain_users
------------------------------------
Added group "adtestdom_domain_users"
------------------------------------
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028

Here I ran into a problem where wbinfo returned:
[root@rhel6-1 ~]# wbinfo --online-status
BUILTIN : online
TESTRELM : online
ADTESTDOM : offline
AD2TESTDOM : offline

[root@rhel6-1 ~]# wbinfo -n "ADTESTDOM\Domain Users"
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name ADTESTDOM\Domain Users

After some troubleshooting and rebooting AD server, I found that the time was off on the AD server and saw this error in messages:

Oct 22 17:43:05 rhel6-1 winbindd[12089]:   kerberos_kinit_password TESTRELM failed: Ticket is ineligible for postdating

Fixed time on AD server.  I think that fixed it.  wbinfo --online status still showed offline but, the
rest seemed to work:

[root@rhel6-1 samba]# wbinfo -n "ADTESTDOM\Domain Users"
S-1-5-21-1246088475-3077293710-2580964704-513 SID_DOM_GROUP (2)

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users_external --external S-1-5-21-1246088475-3077293710-2580964704-513
[member user]:
[member group]:
  Group name: adtestdom_domain_users_external
  Description: adtestdom.com Domain users external map
  External member: S-1-5-21-1246088475-3077293710-2580964704-513
-------------------------
Number of members added 1
-------------------------

[root@rhel6-1 samba]# ipa group-add-member adtestdom_domain_users --groups adtestdom_domain_users_external
  Group name: adtestdom_domain_users
  Description: adtestdom.com Domain users
  GID: 1277200028
  Member groups: adtestdom_domain_users_external
-------------------------
Number of members added 1
-------------------------

Tailing the logs during ssh in shows this:



(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:53 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user=testuser1

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=testuser1]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_get_subdomain_account_info_send] (0x0040): Invalid sub-domain request type.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,User lookup failed
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 769C30
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): domain: adtestdom.com
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): user: testuser1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): service: sshd
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): tty: ssh
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): ruser: 
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): rhost: 192.168.122.1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): authtok size: 9
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): priv: 1
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [pam_print_data] (0x0100): cli_pid: 14064
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [ipa_auth] (0x0040): This operation is not allowed for subdomains!
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][adtestdom.com]
(Mon Oct 22 19:08:56 2012) [sssd[be[testrelm.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][adtestdom.com]

==> /var/log/secure <==
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=testuser1
Oct 22 19:08:56 rhel6-1 sshd[14064]: pam_sss(sshd:auth): received for user testuser1: 4 (System error)
Oct 22 19:08:58 rhel6-1 sshd[14064]: Failed password for testuser1 from 192.168.122.1 port 54362 ssh2

==> /var/log/messages <==
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.293018,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.317630,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'samr' already registered on endpoint
Oct 22 19:09:02 rhel6-1 smbd[13657]: [2012/10/22 19:09:02.318604,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Oct 22 19:09:02 rhel6-1 smbd[13657]:   dcesrv_interface_register: interface 'netlogon' already registered on endpoint

==> /var/log/sssd/sssd_testrelm.com.log <==
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): dbus conn: 74D180
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Oct 22 19:09:03 2012) [sssd[be[testrelm.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

Version-Release number of selected component (if applicable):


How reproducible:
unknown


Steps to Reproduce:
1.  Setup IPA server
2.  Setup AD server
3.  ipa-adtrust-install
4.  ipa trust-add --type=ad adtestdom.com --admin Administrator --password
5.  see above for following where this failed.
  
Actual results:


Expected results:


Additional info:
Comment 1 Scott Poore 2012-10-23 02:04:03 UTC 
Oh, and here's the version info:

[root@rhel6-1 ~]# rpm -q ipa-server sssd samba4
ipa-server-3.0.0-105.20121019T0244zgita5684b0.el6.x86_64
sssd-1.9.90-0.20121019T0223zgit66318df.el6.x86_64
samba4-4.0.0-37.el6.rc3.x86_64
Comment 2 Jakub Hrozek 2012-10-23 10:25:48 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1595
Comment 4 Scott Poore 2012-10-23 18:01:43 UTC 
Created attachment 632246 [details]
sssd_testrelm.com log during failed ssh with password attempt
Comment 6 Scott Poore 2012-10-23 18:07:30 UTC 
Entries from /var/log/secure:

Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com  user=testuser1
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): system info: [Decrypt integrity check failed]
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6-1.testrelm.com user=testuser1
Oct 23 13:56:40 rhel6-1 sshd[31804]: pam_sss(sshd:auth): received for user testuser1: 7 (Authentication failure)
Oct 23 13:56:42 rhel6-1 sshd[31804]: Failed password for testuser1 from 192.168.122.61 port 36843 ssh2
Oct 23 13:56:42 rhel6-1 sshd[31805]: Connection closed by 192.168.122.61

Entries from /var/log/messages:

Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed
Oct 23 13:56:40 rhel6-1 [sssd[krb5_child[31806]]]: Decrypt integrity check failed


Entries from /var/log/krb5kdc.log:

Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.61: NEEDED_PREAUTH: testuser1 for krbtgt/TESTRELM.COM, Additional pre-authentication required
Oct 23 13:56:40 rhel6-1.testrelm.com krb5kdc[30091](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Comment 7 Scott Poore 2012-10-23 18:15:57 UTC 
Oh, here's confirmation on the version too:

[root@rhel6-1 tmp]# rpm -q sssd
sssd-1.9.90-0.20121023.1813.git8662356.el6.x86_64
Comment 8 Sumit Bose 2012-10-23 20:34:21 UTC 
Can you add your sssd.conf as well?
Comment 9 Scott Poore 2012-10-23 20:47:38 UTC 
(In reply to comment #8)
> Can you add your sssd.conf as well?

[root@rhel6-1 tmp]# cat /etc/sssd/sssd.conf
[domain/default]

cache_credentials = True
[domain/testrelm.com]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = testrelm.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
subdomains_provider = ipa
ipa_hostname = rhel6-1.testrelm.com
chpass_provider = ipa
ipa_server = rhel6-1.testrelm.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
debug_level = 10
services = nss, pam, ssh, pac
config_file_version = 2

domains = testrelm.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]
Comment 10 Sumit Bose 2012-10-24 09:28:58 UTC 
Can you retry with a clean cache? 

service sssd stop
rm -f /var/lib/sss/mc/* /var/lib/sss/db/*
service sssd start
Comment 11 Scott Poore 2012-10-24 15:16:16 UTC 
Ok, looks like it was a caching issue there:

[root@rhel6-1 ~]# service sssd stop
Stopping sssd:                                             [  OK  ]
[root@rhel6-1 ~]# rm -f /var/lib/sss/mc/* /var/lib/sss/db/*
[root@rhel6-1 ~]# > /var/log/sssd/sssd_testrelm.com.log
[root@rhel6-1 ~]# service sssd start
Starting sssd:                                             [  OK  ]
[root@rhel6-1 ~]# ssh -l testuser1 rhel6-1.testrelm.com
testuser1@rhel6-1.testrelm.com's password: 
Last login: Tue Oct 23 23:08:55 2012 from 192.168.122.23
id: cannot find name for group ID 1232801127
-sh-4.1$ 

So, it looks  like the test rpm worked.
Comment 12 Jakub Hrozek 2012-10-30 23:24:20 UTC 
Fixed upstream.
Comment 14 Steeve Goveas 2012-11-07 08:49:57 UTC 
[root@rasalghul ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: adlab.qe
  Domain NetBIOS name: ADLAB
  Domain Security Identifier: S-1-5-21-3655990580-1375374850-1633065477
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------

[root@rasalghul ~]# kdestroy 

[root@rasalghul ~]# getent passwd fuser
fuser:*:1979001104:1979001104::/home/adlab.qe/fuser:

[root@rasalghul ~]# ssh -l fuser rasalghul.testrelm.com
fuser@rasalghul.testrelm.com's password: 
Last login: Wed Nov  7 14:13:10 2012 from rasalghul.testrelm.com
-sh-4.1$ pwd
/home/adlab.qe/fuser

-sh-4.1$ whoami
fuser

-sh-4.1$ id
uid=1979001104(fuser) gid=1979001104(fuser) groups=1979001104(fuser) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.1$ logout
Connection to rasalghul.testrelm.com closed.
Comment 15 Scott Poore 2012-11-19 22:53:48 UTC 
If I understand correctly, this one was found to be failing when the username (user@domain) is shorter than the IPA server domain name.  So will still work in some cases.  Expecting another fix from Dev for this asap.  Will move this back to Assigned so it can be handled appropriately and doesn't get lost in the shuffle.
Comment 16 Scott Poore 2012-11-20 14:09:51 UTC 
Ok, The issue prompting me to move back to assigned was determined to be a different issue and warranted a separate bug

https://bugzilla.redhat.com/show_bug.cgi?id=878262

I did confirm that when upn longer than IPA realm this still works.  Moving this back to Verified.
Comment 17 errata-xmlrpc 2013-02-21 09:37:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html
Note You need to log in before you can comment on or make changes to this bug.